Amendments to the Claims 

Replace all prior versions and listings of claims in the application with the following list of 
claims. 



1. (currently amended) A digital computing apparatus capable of detecting and 
preventing a plurality of rate based and non rate based denial of service attacks, said 
apparatus comprising: 

a media access controller (MAC) interface; 

a classification means operatively coupled to said MAC interface for classifying data packets 
received from said MAC interface according to Layer 2, Layer 3, and Layer 4 
classifications, said classification means being capable of enforcing Layer 2, Layer 3, and 
Layer 4 accepted header syntax; 

a meter means operatively coupled to said classification means, said meter means having a 
plurality of meters and being capable of maintaining statistics of said attacks and 
determining whether a threshold has been reached; 

a decision multiplexer means operatively coupled to said meter means, said decision multiplexer 
means being capable of accepting decisions from said plurality of meters and informing a 
single decision to said MAC interface; and 

an ager means capable of timing out flood states identified by said classification means or by 
said meter means, said ager means comprising a continuous learning mechanism for 
continuously learning and updating said statistics [[.]] 

a source tracking mechanism multiplicatively incrementing count for sources that send 
identified flood data, thereby distinguishing said sources from others that send 
non-flood data; 

a SYN flood detection and prevention mechanism having a support means for creating a 
plurality of legitimate IP addresses during normal operation when the TCP state 
transitions to ESTABLISHED, wherein said SYN flood detection and prevention 
mechanism allows only said plurality of legitimate IP addresses to be stored during 
normal operation; 

a zombie flood detection and prevention mechanism having 

a means for limiting connections to said plurality of legitimate IP addresses stored during 
normal operation; and 

a means for determining a threshold for said connections based on baseline traffic learned 
during normal operation. 

2. (original) The apparatus of claim 1, wherein said plurality of meters detect and prevent rate 
based denial of service attacks selected from the group consisting of synchronization 
(SYN) flood, Transmission Control Protocol (TCP) flood, Internet Control and Message 
Protocol (ICMP) flood, User Datagram Protocol (UDP) flood, port scan, source flood, 
destination flood, broadcast flood, Address Resolution Protocol (ARP) flood, Reverse ARP 
(RARP) flood, multicast flood, Virtual Local Area Network (VLAN) flood, double 
encapsulated VLAN flood, protocol flood, Internet Protocol (IP) option flood, fragment 
flood, port flood, Layer 2 floods, Layer 3 floods, and Layer 4 floods. 

3. (original) The apparatus of claim 2, wherein said rate based denial of service attacks are to 
an end node or from said end node to other nodes on the internet. 

Claims 4-7. (cancelled). 

8. (currently amended) The apparatus of claim 1, wherein said ager means collects 
continuous learning data for different network characteristics monitors said statistics 
maintained by said plurality of meters. 

9. (currently amended) The apparatus of claim 8, wherein said plurality of meters identify 
whether a threshold of counts for a particular network characteristic has been reached 
for a flood state corresponding to a packet header value. 

10. (currently amended) The apparatus of claim 9, wherein said threshold has been reached 
and said plurality of meters inform said decision multiplexer means to block traffic with 
said particular network characteristic for a certain time period with said packet 
header value. 

Claims 11-20 (cancelled). 

21. (new) A computer-implemented method for rate-based denial of service attack detection, 
the method comprising: 

receiving packets from a network; 

classifying the received packets according to network layer 2, 3, 4 classification; 

metering the classification to produce statistics related to multiple types of attacks; 

creating and storing a table of legitimate IP addresses during normal operation when a TCP state 
transitions to "established"; 

detecting a SYN flood state; 

dropping packets from IP addresses not in the table of legitimate IP addresses during the detected 
SYN flood state; 

detecting a zombie flood state when a number of packets from legitimate IP addresses exceeds a 
threshold; and 

dropping packets from IP addresses in the table of legitimate IP addresses during the detected 
zombie flood state. 
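
The SYN flood and zombie flood steps of claim 21 can be sketched as follows. This is an added example, not code from the application: the class name `FloodGuard`, the per-window counters, both threshold values and the window reset are assumptions, the sample addresses are constructed, and the Layer 2/3/4 classification step is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class FloodGuard:
    syn_threshold: int     # assumed: SYNs per window that signal a SYN flood
    zombie_threshold: int  # assumed: packets per window from legitimate IPs
    legit: set = field(default_factory=set)
    syn_count: int = 0
    legit_count: int = 0
    syn_flood: bool = False
    zombie_flood: bool = False

    def established(self, src: str) -> None:
        # Learn a source only during normal operation, so addresses that
        # complete a handshake mid-flood are not added to the table.
        if not (self.syn_flood or self.zombie_flood):
            self.legit.add(src)

    def packet(self, src: str, syn: bool = False) -> str:
        known = src in self.legit
        if syn:
            self.syn_count += 1
            self.syn_flood |= self.syn_count > self.syn_threshold
        if known:
            self.legit_count += 1
            self.zombie_flood |= self.legit_count > self.zombie_threshold
        if self.zombie_flood and known:
            return "drop"   # zombie flood: legitimate table is over threshold
        if self.syn_flood and not known:
            return "drop"   # SYN flood: only learned sources pass
        return "accept"

    def end_window(self) -> None:
        # Simplified ager: reset meters and time out both flood states.
        self.syn_count = self.legit_count = 0
        self.syn_flood = self.zombie_flood = False

def demo() -> list:
    g = FloodGuard(syn_threshold=3, zombie_threshold=4)
    g.established("192.0.2.10")                    # learned in normal operation
    out = [g.packet(f"198.51.100.{i}", syn=True) for i in range(5)]
    out.append(g.packet("192.0.2.10", syn=True))   # known source still passes
    g.established("203.0.113.5")                   # ignored: flood in progress
    out.append(g.packet("203.0.113.5"))
    g.end_window()
    out += [g.packet("192.0.2.10") for _ in range(6)]
    return out

if __name__ == "__main__":
    print(demo())
```
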